Windows Server AD domain controller upgrade/migration (transferring the five major FSMO roles of the domain controller)

This article describes how to migrate/upgrade the domain controller in an existing domain environment. In a domain-based network, the importance of domain controllers is self-evident: it would be a disaster if the only domain controller in the network suddenly crashed. Therefore, if possible, it is recommended to have additional domain controllers in the network. A domain controller can handle user authentication, logon and so on, but for domain resources to keep working normally, the five roles of the domain controller need to be transferred to the additional domain controller.
This article records the migration of a single domain controller on Windows Server 2012 to a single domain controller on Windows Server 2022. It can serve as a reference for migrating other versions; adapt it to your actual environment.

As mentioned above, the domain controller is an extremely important business server. Before performing any upgrade operation, back up the data and set up a multi-active deployment in advance, so that a crash of the domain controller service does not compromise the security and integrity of the data or the continuity of the business.
Because domain controllers can coexist as primary and secondary servers, some upgrade conflicts that could lead to abnormal data or service failures can be avoided. If the new domain controller fails, the operation can be rolled back.
Secondly, pay attention to the naming conventions for servers, for user names and passwords, and for database names.

Plan steps:

1. Step: Install the new 2022 AD domain controller. Instructions: Add an additional 2022 AD domain controller to the existing domain.
2. Step: Test whether the domain controller and other functions work normally under coexistence. Instructions: Create new domain users and retrieve users.
3. Step: Migrate the domain controller functions to the new domain controller. Instructions: Migrate the five major domain controller roles.
4. Step: Modify the DNS IP, uninstall the domain controller and DNS functions from the old domain controller, and test. Instructions: Verify that applications and clients work normally after the domain upgrade.

New domain controller installation

First install Windows Server 2022, then open Server Manager and choose Add roles and features.
Install the features on this server.
Check Active Directory Domain Services (AD DS), add the required features, confirm, and wait for the installation to complete.
After the installation finishes, find AD DS on the left and click the prompt in the upper right corner to start the domain controller configuration.

Configure the domain controller and join the existing domain

Follow the prompt in the upper right corner and select the action to promote this server to a domain controller.
Select the option to add the domain controller to the existing domain. After you enter the domain, you will be prompted for an account and password.
Enter the domain administrator account and password of the original domain controller to retrieve the domain and authenticate as the domain administrator.
Next, specify the domain controller capabilities of this server, which will take over from the original domain controller: check the Domain Name System (DNS) server and Global Catalog options, and set the Directory Services Restore Mode (DSRM) password.
Replicate from the original domain controller.
Configure the locations of the relevant storage folders. If you have special requirements, change the directory locations as needed.
After the configuration is confirmed, the prerequisites are checked. If any prerequisite needs an update or a framework installed, do so as required. If nothing is needed, the system proceeds automatically and then asks you to restart the server.
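
The same installation and promotion can be scripted, which keeps the DSRM password and administrator credentials out of files and makes the prerequisite check an explicit gate. This is an added example, not part of the original article; the domain name, the old domain controller's host name and the folder paths are placeholder assumptions to replace with your own values.

```powershell
# Added example: scripted equivalent of the wizard steps above.
# Run in an elevated PowerShell session on the new Windows Server 2022 machine.
$domainName = 'corp.example'           # placeholder: DNS name of the existing domain
$sourceDc   = 'OLD-DC.corp.example'    # placeholder: FQDN of the original 2012 domain controller

# "Add roles and features": AD DS binaries plus the management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Prompt for secrets interactively so they never land in the script or its history.
$adminCred = Get-Credential -Message 'Domain administrator of the existing domain'
$dsrmPass  = Read-Host -AsSecureString -Prompt 'DSRM (restore mode) password'

# One parameter set shared by the prerequisite test and the real promotion.
# Global Catalog is enabled by default, so no parameter is needed for it.
$params = @{
    DomainName                    = $domainName
    Credential                    = $adminCred
    InstallDns                    = $true          # "DNS server" checkbox
    ReplicationSourceDC           = $sourceDc      # replicate from the original DC
    SafeModeAdministratorPassword = $dsrmPass
    DatabasePath                  = 'C:\Windows\NTDS'     # assumed default locations
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Same checks the wizard runs on its "Prerequisites Check" page.
$checks = Test-ADDSDomainControllerInstallation @params
$checks | Format-Table Status, Message -Wrap
if ($checks | Where-Object Status -eq 'Error') {
    throw 'Prerequisite check reported errors; resolve them before promoting.'
}

# Promotes the server; it asks for confirmation and restarts when finished.
Install-ADDSDomainController @params
```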

Migrate the domain controller roles to the new domain controller

Open a cmd command prompt and first verify that the five major roles are held by the original 2012 AD domain controller.

netdom query fsmo

When both the primary and secondary domain controllers are running normally, migrate the roles with transfer:

ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server AD2022 //Connect to the secondary domain controller
server connections: q //Return to the previous level
fsmo maintenance: transfer naming master
fsmo maintenance: transfer PDC
fsmo maintenance: transfer RID master
fsmo maintenance: transfer schema master
fsmo maintenance: transfer infrastructure master

Verify again that the five major roles have been transferred to the new domain controller.

netdom query fsmo
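
The check, transfer and re-check above can be combined into one gated script, which is also a useful last check before the old domain controller is demoted. This is an added example, not part of the original article; it uses the ActiveDirectory PowerShell module instead of ntdsutil, and assumes the new domain controller is named AD2022 as in the session above.

```powershell
# Added example: gated FSMO transfer with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$target = 'AD2022'   # new domain controller, name taken from the ntdsutil session above

# Current holder (FQDN) of each of the five roles, read from the new DC.
function Get-FsmoHolder {
    $forest = Get-ADForest -Server $target
    $domain = Get-ADDomain -Server $target
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Names of the roles whose holder is not the given host.
function Get-RolesNotOn([string]$HostName) {
    $holders = Get-FsmoHolder
    $holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -ne $HostName }
}

# Gate: do not move roles while replication between the DCs is failing.
$failures = Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Where-Object FailureCount -gt 0
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError
    throw 'Replication failures present; fix replication before transferring roles.'
}

# Transfer only what is still elsewhere. No -Force: that would seize the roles
# instead of transferring them. Schema master needs Schema Admins membership and
# domain naming master needs Enterprise Admins membership.
$pending = @(Get-RolesNotOn $target)
if ($pending.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $pending
}

# Re-check: stop here if the old DC still holds any role.
$left = @(Get-RolesNotOn $target)
if ($left.Count -gt 0) { throw "Roles not on ${target}: $($left -join ', ')" }
Get-FsmoHolder
```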

Test whether the domain controller and other functions work normally under coexistence (create new domain users and retrieve users).

Demote and decommission the original domain controller

The new domain controller is now the primary domain controller. Next, uninstall the AD domain services from the old domain controller and remove it from the domain. Log in to the old domain controller and select Add roles and features, then Remove roles and features.
After selecting this computer, choose to uninstall AD and its features.
Follow the prompts and choose to demote this domain controller.
Follow the AD domain controller configuration wizard to remove the related features.
Remove the DNS function and enter the domain administrator account and password.
Confirm the demotion.
After the demotion is completed, you will be prompted to restart the server.
After restarting, remove the original domain controller from the domain by moving the server from the domain to a workgroup.

Note: At this point, the DNS IP has switched from the IP of the old 2012 domain controller to the IP of the new 2022 domain controller. Remember to update the DNS configuration of the relevant servers in the domain, or change the IP of the new domain controller to the IP of the original domain controller.


Origin blog.csdn.net/mangchong233/article/details/131185486